Analysis Overview
SHA256
7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b
Threat Level: Known bad
The file a18b2b6648a6e116fb85974ed5b174eb.exe was found to be: Known bad.
Malicious Activity Summary
Eternity
Detects Eternity clipper
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Runs ping.exe
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-08-26 06:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-08-26 06:00
Reported
2022-08-26 06:03
Platform
win7-20220812-en
Max time kernel
206s
Max time network
210s
Command Line
Signatures
Detects Eternity clipper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Eternity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Clipper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary certificate data omitted] | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Clipper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Clipper.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe
"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"
C:\Users\Admin\AppData\Local\Temp\Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
C:\Users\Admin\AppData\Local\Temp\Clipper.exe
"C:\Users\Admin\AppData\Local\Temp\Clipper.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
"C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet | udp |
| US | 198.251.83.154:80 | rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| N/A | 127.0.0.1:49213 | N/A | tcp |
| US | 185.159.70.47:46031 | N/A | tcp |
| BG | 31.13.195.248:443 | N/A | tcp |
| FR | 178.20.55.18:443 | N/A | tcp |
| NO | 185.90.61.218:443 | N/A | tcp |
| PL | 95.214.53.221:443 | N/A | tcp |
| FI | 65.109.33.23:9001 | N/A | tcp |
| DE | 212.83.43.13:443 | N/A | tcp |
| DE | 212.83.43.13:443 | N/A | tcp |
| PL | 95.214.53.221:443 | N/A | tcp |
| N/A | 127.0.0.1:9050 | N/A | tcp |
Files
\Users\Admin\AppData\Local\Temp\Stealer.exe
| MD5 | d1cdefb0ed7a84fdb2aba99ec065d2e2 |
| SHA1 | 9cad12bc5214a118e72424b6d7799d362383f8f5 |
| SHA256 | 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e |
| SHA512 | a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e |
\Users\Admin\AppData\Local\Temp\Clipper.exe
| MD5 | 8ca91deb0b495906ddcb1baf997dedf7 |
| SHA1 | cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4 |
| SHA256 | bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890 |
| SHA512 | b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec |
C:\Users\Admin\AppData\Local\Temp\Tor\tor.exe
| MD5 | 67ab12cf6cabc14588e4f51b21c2134a |
| SHA1 | 32a4ff564f38bf4b62007e419f19c991e60d6e14 |
| SHA256 | f0aaae0364306bb7a4681d01935c96c2ac76b3576b7982990f86bcaf811a45ba |
| SHA512 | 2a1c67e9d23d6b050e35c5a8e159309cf598095239406c60a9f721fddc912e21afab7036cbd9f77197cc4241df5f8fa6aa9d7294762659178c6edeb4699d5bec |
C:\Users\Admin\AppData\Local\Temp\Tor\libevent-2-1-7.dll
| MD5 | a3bf8e33948d94d490d4613441685eee |
| SHA1 | 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2 |
| SHA256 | 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585 |
| SHA512 | c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28 |
C:\Users\Admin\AppData\Local\Temp\Tor\libssp-0.dll
| MD5 | b77328da7cead5f4623748a70727860d |
| SHA1 | 13b33722c55cca14025b90060e3227db57bf5327 |
| SHA256 | 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7 |
| SHA512 | 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2 |
C:\Users\Admin\AppData\Local\Temp\Tor\libgcc_s_sjlj-1.dll
| MD5 | bd40ff3d0ce8d338a1fe4501cd8e9a09 |
| SHA1 | 3aae8c33bf0ec9adf5fbf8a361445969de409b49 |
| SHA256 | ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c |
| SHA512 | 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1 |
C:\Users\Admin\AppData\Local\Temp\Tor\libwinpthread-1.dll
| MD5 | 19d7cc4377f3c09d97c6da06fbabc7dc |
| SHA1 | 3a3ba8f397fb95ed5df22896b2c53a326662fcc9 |
| SHA256 | 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d |
| SHA512 | 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a |
C:\Users\Admin\AppData\Local\Temp\Tor\libcrypto-1_1.dll
| MD5 | 3406f79392c47a72bed2f0067b3ce466 |
| SHA1 | a8e2940d61fc840441c4e2a835959d197929ffdf |
| SHA256 | e4b6b2ca32b1e2ba26959ec7380c4f117418d3a724f60494ff3cb81505fbf43d |
| SHA512 | 930d794aa8715dcd23fafbead7fe2ec95d2863783b4c52279870cad93d5b6cf02ba8a13e2653d2bf731e9882bf63f43a7e44788ce47505346be3fe8e8b872fa4 |
C:\Users\Admin\AppData\Local\Temp\Tor\libssl-1_1.dll
| MD5 | 9e3d55fbf890c6cbffd836f2aef4ba31 |
| SHA1 | 715890ba3bda3431470cca4f4bc492c0f63fa138 |
| SHA256 | e6f4cf41373e8770c670cf5e85461f25385314ed9d8a2b37381bc84f5c0dd5c0 |
| SHA512 | 9848f28fd96c21dd054cbf3e722e56373696c1f7803c137afc7c7203325d9738fa6b984d95cd49ff78a6d95c8f9406f869af3c3783901da3cc003e2b09497d65 |
\Users\Admin\AppData\Local\Temp\Tor\zlib1.dll
| MD5 | 6f98da9e33cd6f3dd60950413d3638ac |
| SHA1 | e630bdf8cebc165aa81464ff20c1d55272d05675 |
| SHA256 | 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773 |
| SHA512 | 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-08-26 06:00
Reported
2022-08-26 06:04
Platform
win10v2004-20220812-en
Max time kernel
233s
Max time network
241s
Command Line
Signatures
Detects Eternity clipper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Eternity
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Clipper.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Clipper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Clipper.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Stealer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe
"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"
C:\Users\Admin\AppData\Local\Temp\Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
C:\Users\Admin\AppData\Local\Temp\Clipper.exe
"C:\Users\Admin\AppData\Local\Temp\Clipper.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1408
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name="65001" key=clear
C:\Windows\system32\findstr.exe
findstr Key
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping 127.0.0.1
C:\Windows\system32\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet | udp |
| US | 198.251.83.154:80 | rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Stealer.exe
| MD5 | d1cdefb0ed7a84fdb2aba99ec065d2e2 |
| SHA1 | 9cad12bc5214a118e72424b6d7799d362383f8f5 |
| SHA256 | 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e |
| SHA512 | a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e |
C:\Users\Admin\AppData\Local\Temp\Clipper.exe
| MD5 | 8ca91deb0b495906ddcb1baf997dedf7 |
| SHA1 | cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4 |
| SHA256 | bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890 |
| SHA512 | b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec |